Re: allow specifying direct role membership in pg_hba.conf
| From | Andrew Dunstan |
|---|---|
| Subject | Re: allow specifying direct role membership in pg_hba.conf |
| Date | |
| Msg-id | 37abd415-e069-fb0a-c2b2-bdb505ca0fc8@dunslane.net |
| In response to | allow specifying direct role membership in pg_hba.conf ("Bossart, Nathan" <bossartn@amazon.com>) |
| Responses | Re: allow specifying direct role membership in pg_hba.conf |
| List | pgsql-hackers |
On 5/13/21 7:38 PM, Bossart, Nathan wrote:
> Hi hackers,
>
> I've attached a small patch that allows specifying only direct members
> of a group in pg_hba.conf. The "+" prefix offered today matches both
> direct and indirect role members, which may complicate some role
> setups. For example, if you have one set of roles that are members of
> the "pam" role and another set that are members of the "scram-sha-256"
> role, granting membership in a PAM role to a SCRAM role might
> inadvertently modify the desired authentication method for the
> grantee. If only direct membership is considered, no such inadvertent
> authentication method change would occur.
>
> I chose "&" as a new group name prefix for this purpose. This choice
> seemed as good as any, but I'm open to changing it if anyone has
> suggestions. For determining direct role membership, I added a new
> function in acl.c that matches other related functions. I added a new
> role cache type since it seemed to fit in reasonably well, but it seems
> unlikely that there is any real performance benefit versus simply
> open-coding the syscache lookup.
>
> I didn't see any existing authentication tests for groups at first
> glance. If folks are interested in this functionality, I can work on
> adding some tests for this stuff.

Do we really want to be creating two classes of role membership?

cheers

andrew

--
Andrew Dunstan
EDB: https://www.enterprisedb.com
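As an added illustration, not code from the patch or from PostgreSQL itself, the following Python model of pg_hba.conf user-field matching contrasts today's "+" prefix (direct or indirect membership) with the "&" prefix the patch proposes (direct membership only), using the PAM/SCRAM scenario from the quoted mail. The role graph, the role names and the reduced two-column hba lines (user field and auth method only) are constructed assumptions.

```python
from collections import deque

# Constructed role graph: role -> set of roles it is a DIRECT member of.
# "alice" sits under the "pam" group role, "app_ro" under "scram-sha-256".
MEMBER_OF = {
    "alice": {"pam"},
    "app_ro": {"scram-sha-256"},
}

def direct_member(role, group, member_of):
    """Proposed '&' semantics: only an explicit GRANT group TO role counts."""
    return group in member_of.get(role, set())

def member(role, group, member_of):
    """Existing '+' semantics: direct or indirect membership (BFS, cycle-safe)."""
    seen, queue = set(), deque([role])
    while queue:
        for g in member_of.get(queue.popleft(), ()):
            if g == group:
                return True
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return False

def role_matches(hba_user, conn_role, member_of):
    """Match one pg_hba.conf user field against the connecting role."""
    if hba_user == "all":
        return True
    if hba_user.startswith("+"):
        return member(conn_role, hba_user[1:], member_of)
    if hba_user.startswith("&"):          # hypothetical prefix from the patch
        return direct_member(conn_role, hba_user[1:], member_of)
    return hba_user == conn_role

def auth_method(hba, conn_role, member_of):
    """First matching line wins, as pg_hba.conf is evaluated top to bottom."""
    for user_field, method in hba:
        if role_matches(user_field, conn_role, member_of):
            return method
    return None                            # no line matched: connection rejected

HBA_PLUS = [("+pam", "pam"), ("+scram-sha-256", "scram-sha-256")]
HBA_AMP = [("&pam", "pam"), ("&scram-sha-256", "scram-sha-256")]

def demo():
    """Return app_ro's auth method under '+' and '&' before/after GRANT alice TO app_ro."""
    before = (auth_method(HBA_PLUS, "app_ro", MEMBER_OF),
              auth_method(HBA_AMP, "app_ro", MEMBER_OF))
    # GRANT alice TO app_ro: app_ro now reaches "pam" indirectly through alice.
    after_grant = {"alice": {"pam"}, "app_ro": {"scram-sha-256", "alice"}}
    after = (auth_method(HBA_PLUS, "app_ro", after_grant),
             auth_method(HBA_AMP, "app_ro", after_grant))
    return before, after
```

With "+pam" listed first, the grant silently moves app_ro from SCRAM to PAM authentication; with "&pam" it stays on SCRAM, which is the inadvertent change the patch is meant to prevent.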